How to create point to point vpn with full client access

vverm
OpenVpn Newbie
Posts: 3
Joined: Tue Mar 08, 2011 7:51 am

How to create point to point vpn with full client access

Post by vverm » Tue Mar 08, 2011 8:15 am

read through: http://openvpn.net/index.php/open-sourc ... howto.html

I'm unable to get routing to anything but the openVPN server after following the above setup guide. My setup is as follows:

local lan:
192.168.45.5 openvpn server
255.255.255.0
192.168.45.1 netopia

Server configuration file:
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key

Client configuration file:
remote external.ip
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
route 192.168.45.0 255.255.255.0

I've added the static route on my gateway to include 10.8.0.0 (have also tried 10.8.2.0) to 192.168.45.5, but have no luck pinging anything but the 10.xx addresses and the openVPN server 192.168.45.5. Also, I have added the ip forwarding reg to the openVPN server. After looking through the forums and doing some searching I can't seem to come up with anything useful. Some help would be much appreciated. Thank you,


Jake

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How to create point to point vpn with full client access

Post by janjust » Tue Mar 08, 2011 10:50 am

If you cannot ping the netopia host 192.168.45.1 from the VPN client, then check if the netopia host knows that packets coming from 10.8.0.0/24 need to go back to the openvpn server. Is this route present on 192.168.45.1?


Re: How to create point to point vpn with full client access

Post by vverm » Tue Mar 08, 2011 3:45 pm

Thank you for the reply. I tried adding the static route 10.8.0.0 mask 255.255.255.252 192.168.45.1 on the openVPN (.45) server and that doesn't work. When I add that route I lose ping to 192.168.45.5 from the client side as well.

Just to be sure, the subnet mask should be 255.255.255.252 in the netopia, correct?


Re: How to create point to point vpn with full client access

Post by janjust » Tue Mar 08, 2011 3:58 pm

Nope, it's the other way round: the netopia router needs to know where to send stuff back to...

As an alternative you can use masquerading on the vpn server to hide the VPN IPs:


iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE


Re: How to create point to point vpn with full client access

Post by vverm » Tue Mar 08, 2011 6:30 pm

Sorry to be bouncing around here... but it's kind of working now.

client side gateway static routes:
192.168.45.0 255.255.255.0 10.1.10.150
10.8.0.0 255.255.255.0 10.1.10.150

on server side netopia gateway static routes:
set ip static-routes destination-network 10.1.10.0 netmask 255.255.255.0
set ip static-routes destination-network 10.1.10.0 interface ip-address
set ip static-routes destination-network 10.1.10.0 gateway-address 192.168.45.5
set ip static-routes destination-network 10.1.10.0 metric 1
set ip static-routes destination-network 10.1.10.0 rip-advertise Never
set ip static-routes destination-network 10.8.0.0 netmask 255.255.255.0
set ip static-routes destination-network 10.8.0.0 interface ip-address
set ip static-routes destination-network 10.8.0.0 gateway-address 192.168.45.5
set ip static-routes destination-network 10.8.0.0 metric 1
set ip static-routes destination-network 10.8.0.0 rip-advertise Never


I am able to ping the full network from the one client, but unable to route through the vpn using any other computer on the client side. From the server side I am unable to ping the client network? Is there a different point to point setup I should be going about this? I need to be able to have a ptp tunnel with access to each network from each side.... This is driving me nuts :?


Re: How to create point to point vpn with full client access

Post by janjust » Tue Mar 08, 2011 10:12 pm

Ah, you hadn't mentioned that you needed subnet-to-subnet access.
Basically you need to do the same, but then in reverse: the machines on your client-side LAN need to know where to find the server-side LAN. So on the client-side GW you also need to add a route for the server-side LAN. This route needs to point at the VPN client.
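
Added example, not part of the thread and not written by either poster: a small Python model of the routing discussed above that traces a packet hop by hop with longest-prefix match and checks the return path as well as the forward path. The addresses are the ones posted in the thread; the client-side gateway 10.1.10.1, the two LAN hosts ending in .20, the default routes, IP forwarding on both VPN endpoints, and the optional route for 10.1.10.0/24 into the tunnel on the OpenVPN server (not present in the server config posted above) are assumptions of the example.

```python
import ipaddress as ipa

def make_node(addrs, routes):
    """addrs: IPs the node owns; routes: (prefix, next hop, or None if on-link)."""
    return {"addrs": {ipa.ip_address(a) for a in addrs},
            "routes": [(ipa.ip_network(p), ipa.ip_address(g) if g else None)
                       for p, g in routes]}

def owner(topo, ip):
    """Name of the node that owns this IP, or None if nobody does."""
    return next((name for name, n in topo.items() if ip in n["addrs"]), None)

def trace(topo, src, dst, max_hops=8):
    """Forward one packet from src to dst; return (delivered, path of node names)."""
    dst = ipa.ip_address(dst)
    here, path = owner(topo, ipa.ip_address(src)), []
    while here and len(path) < max_hops:
        path.append(here)
        if dst in topo[here]["addrs"]:
            return True, path
        hits = [(p, g) for p, g in topo[here]["routes"] if dst in p]
        if not hits:
            return False, path                      # no route at this hop
        _, gw = max(hits, key=lambda r: r[0].prefixlen)  # longest prefix wins
        here = owner(topo, gw if gw else dst)
    return False, path                              # unknown next hop or routing loop

def round_trip(topo, a, b):
    """A ping only succeeds if the request AND the reply can be delivered."""
    return trace(topo, a, b)[0] and trace(topo, b, a)[0]

def topology(server_route_to_client_lan):
    """Route tables as posted in the thread, plus the constructed values named in the lead-in."""
    C, S, TUN, DEF = "10.1.10.0/24", "192.168.45.0/24", "10.8.0.0/30", "0.0.0.0/0"
    vpn_srv = [(S, None), (TUN, None), (DEF, "192.168.45.1")]
    if server_route_to_client_lan:                  # assumed fix, not in the posted config
        vpn_srv.append((C, "10.8.0.2"))
    return {
        "client_pc":  make_node(["10.1.10.20"], [(C, None), (DEF, "10.1.10.1")]),
        "client_gw":  make_node(["10.1.10.1"], [(C, None), (S, "10.1.10.150"),
                                                ("10.8.0.0/24", "10.1.10.150")]),
        "vpn_client": make_node(["10.1.10.150", "10.8.0.2"],
                                [(C, None), (TUN, None), (S, "10.8.0.1"), (DEF, "10.1.10.1")]),
        "vpn_server": make_node(["192.168.45.5", "10.8.0.1"], vpn_srv),
        "netopia":    make_node(["192.168.45.1"], [(S, None), (C, "192.168.45.5"),
                                                   ("10.8.0.0/24", "192.168.45.5")]),
        "server_pc":  make_node(["192.168.45.20"], [(S, None), (DEF, "192.168.45.1")]),
    }
```

In this model, with the route tables as posted, the tunnel address 10.8.0.2 gets replies from the server LAN, while replies to 10.1.10.20 loop between the netopia and the OpenVPN server. Adding the assumed 10.1.10.0/24 route on the OpenVPN server closes the path in both directions.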
